Skip to main content
Question

Yosemite 10.10.5 keychain issues with AD users and Casper Imaging...

  • August 28, 2015
  • 3 replies
  • 22 views
T
Forum|alt.badge.img+4

Dear Friends,

I am working on a Yosemite 10.10.5 "image" using Casper Imaging. Our use log-in using AD. At first log-in these users get the Keychain reset pop-up. These users have never logged on before so it's some I am deducing that it's a left over from the dummy user I used to make packages with Casper. I have tried to use Casper imaging to replace ~/Library/Keychains/ with an empty folder but that didn't seem to work. Any fellow Casper users found a good solution to this?

These are students logging into a drop-in style lab so removing the keychain at the start of a session really doesn't bother me and I guess I could script that but I wanted to see if anybody had found another way using the JSS or other tools. Thanks in advance for helping me tighten my thinking cap!

Sincerely,

Eric T Gadsby

    3 replies

    A
    Forum|alt.badge.img+2
    • archimboldi
    • New Contributor
    • August 29, 2015

    Hi, Eric

    I have been dealing with these issues too, and have yet to come up with a good solution. In our AD environment it is happening to existing/established users on their primary workstations - not just on first login. Questions:

    Is AD forcing a password change at first login?

    Are you seeing popups for the local items keychain, the login keychain, or both?

    Since your issue is affecting only first logins, you could script the deletion of one or both keychains and deploy the script with a policy scoped to the the machine and triggered by login with a frequency of "once per user". The problem with deleting the keychains is that it requires an immediate reboot - not exactly an ideal solution. I wonder if their is a way to recreate the keychains without rebooting. If you want to script it you could do something like this:

    userName=/usr/bin/who | /usr/bin/awk '/console/{ print $1 }'
    LIKC=system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}'
    rm -rf /Users/$userName/Library/keychains/$LIKC

    The last line deletes the the local items keychain only; if you need to delete login.keychain as well (or instead) you can edit accordingly. Deleting the login keychain is a last resort for me, since it contains wifi certs, etc that have to be re-created. I'm also very curious to hear how others are managing these keychain issues in AD environments.

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • August 29, 2015

    @tu-egadsby & @archimboldi I'd have a look through the packages you've created & remove any items within ~/Library/Keychains from them & then try.

    It's not common to have keychain issues on new accounts.

    K
    Forum|alt.badge.img+7
    • Kprice
    • Contributor
    • August 29, 2015

    Do you happen to have any .dmg installers that are set to FEU/FUT? I went round and round with the Keychain folder not being created properly and found that to be an issue. Check this out, might help. In my case I was just reimaging to solve the problem. https://jamfnation.jamfsoftware.com/discussion.html?id=6211

    Terms & ConditionsCookie settingsAccessibility statement